CVE-2026-52813 (GCVE-0-2026-52813)
Vulnerability from cvelistv5 – Published: 2026-06-24 20:33 – Updated: 2026-06-26 03:55
VLAI
KEVIntel
Title
Gogs: Path Traversal in organization name results in RCE through Git hooks
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other's hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.
Severity
10 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gogs/gogs/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/gogs/gogs/pull/8334 | x_refsource_MISC |
| https://github.com/gogs/gogs/commit/f6acd46730594… | x_refsource_MISC |
| https://github.com/gogs/gogs/releases/tag/v0.14.3 | x_refsource_MISC |
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: 65a07e8f-71bc-4743-900f-bf9585bfde6d
Exploited: Yes
Timestamps
First Seen: 2026-06-30
Asserted: 2026-06-30
Scope
Notes: KEVIntel entry: Gogs: Path Traversal in organization name results in RCE through Git hooks | Affected: gogs / gogs | CVSS: 10.0 (CRITICAL) | EPSS: 0.01107 | Used in malware: unknown | Not yet in CISA KEV: True
Evidence
Type: Public Report
Signal: Successful Exploitation
Confidence: 70%
Source: kevintel
Details
| Feed | KEVIntel (kevintel.com) |
|---|---|
| Title | Gogs: Path Traversal in organization name results in RCE through Git hooks |
| Vendor | gogs |
| Product | gogs |
| Added Date | 2026-06-30T16:02:32.752Z |
| Cvss Score | 10.0 |
| Epss Score | 0.01107 |
| Cvss Severity | CRITICAL |
| Epss Percentile | 0.6173 |
| Used In Malware | unknown |
| Ahead Of Cisa Kev | None |
| Not Yet In Cisa Kev | True |
References
Created: 2026-06-30 17:00 UTC
| Updated: 2026-06-30 17:00 UTC
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-52813",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T03:55:38.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gogs",
"vendor": "gogs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.14.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other\u0027s hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T20:33:42.162Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5"
},
{
"name": "https://github.com/gogs/gogs/pull/8334",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/pull/8334"
},
{
"name": "https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7"
},
{
"name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
}
],
"source": {
"advisory": "GHSA-c39w-43gm-34h5",
"discovery": "UNKNOWN"
},
"title": "Gogs: Path Traversal in organization name results in RCE through Git hooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-52813",
"datePublished": "2026-06-24T20:33:42.162Z",
"dateReserved": "2026-06-08T18:11:06.660Z",
"dateUpdated": "2026-06-26T03:55:38.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-52813",
"date": "2026-06-30",
"epss": "0.01107",
"percentile": "0.6173"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-52813\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-24T21:16:57.353\",\"lastModified\":\"2026-06-26T05:16:30.360\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other\u0027s hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"gogs\",\"product\":\"gogs\",\"versions\":[{\"version\":\"\u003c 0.14.3\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-25T00:00:00+00:00\",\"id\":\"CVE-2026-52813\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-23\"}]}],\"references\":[{\"url\":\"https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gogs/gogs/pull/8334\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gogs/gogs/releases/tag/v0.14.3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-52813\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-25T12:38:10.890016Z\"}}}], \"references\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-25T12:37:58.589Z\"}}], \"cna\": {\"title\": \"Gogs: Path Traversal in organization name results in RCE through Git hooks\", \"source\": {\"advisory\": \"GHSA-c39w-43gm-34h5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gogs\", \"product\": \"gogs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.14.3\"}]}], \"references\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5\", \"name\": \"https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gogs/gogs/pull/8334\", \"name\": \"https://github.com/gogs/gogs/pull/8334\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7\", \"name\": \"https://github.com/gogs/gogs/commit/f6acd467305943aae8403cbac81f0118dd1235d7\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gogs/gogs/releases/tag/v0.14.3\", \"name\": \"https://github.com/gogs/gogs/releases/tag/v0.14.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of Git repositories, one can overwrite the other\u0027s hooks configuration to result in Remote Code Execution (RCE). This vulnerability is fixed in 0.14.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"CWE-23: Relative Path Traversal\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-24T20:33:42.162Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-52813\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-26T03:55:38.322Z\", \"dateReserved\": \"2026-06-08T18:11:06.660Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-24T20:33:42.162Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…